Adobe rolled out the latest Reader and Acrobat updates to address the latest Flash zero-day vulnerability as new exploits are discovered.
Adobe patched a critical Flash bug in Adobe Reader a few
days earlier than expected. Rogue PDF files exploiting the bug have recently been
detected in the wild, Adobe said.
This is Adobe's second out-of-band update to address a Flash
Player zero-day vulnerability in the past month. After a round of frenzied
patching in March, Adobe updated Flash Player
again on April 15. While the
company had had initially promised updates for Adobe Reader and Acrobat the
week of April 25, it beat its own deadline by delivering the patch on April 21.
The update is for users with Adobe Reader X (10.0.2) for
Macintosh, Adobe Reader 9.4.3 for Windows and Macintosh, Adobe Acrobat X (10.0.2)
for Windows and Macintosh, and Adobe
Acrobat 9.4.3 for Windows and Macintosh installed.
Adobe Reader on Android is not affected and will not be
patched. Adobe Reader X for Windows blocks the Flash code from executing
because of its Protected Mode sandbox technology. As a result, Adobe will patch
Reader X on June 14 as part of its regular security update. The Flash fix for
Android is still expected to be ready the week of April 25, as Adobe previously
Adobe disclosed the latest Flash bug
last week after an
independent security researcher found malicious Flash files embedded in Word
and Excel files in the wild. New exploits with Flash code in PDF files appeared
shortly after the initial advisory was posted, according to Adobe.
"There are reports that this vulnerability is being
actively exploited in the wild against both Adobe Flash Player, and Adobe
Reader and Acrobat," Adobe said in today's security advisory.
The latest rogue PDF files carry filenames referring to
China, Russia, the Obama administration and the Middle East, according to Mila
Parkour, the security researcher who reported the initial flaw to Adobe. The
files are attached to email messages purportedly from New York Times editors,
Parkour wrote on her Contagio
The exploits are using recent news events to trick users
into opening files, such as pretending to have information regarding Japan's
Fukushima nuclear reactor, China's trade policies or the political turmoil in
the Middle East.
When a user opens the infected file and triggers the rogue
Flash code, a remote attacker can take complete control of the system. The
attacker can access and steal user data or crash the user's machine in a denial
of service attack, Parkour said.
The latest updates also fixed a second vulnerability
(CVE-2011-0610) that Adobe said has not yet been exploited by attackers. The
memory corruption vulnerability in Acrobat and Reader's CoolType library could
result in code execution if exploited, Adobe said. The library processes
TrueType fonts in PDF files.
Adobe patched another zero-day vulnerability in March
was also exploited by malicious Flash code inside an Excel document. Despite
the similarity in the exploits, the two Flash vulnerabilities are unrelated and
were found in different parts of the code, according to Adobe.
Adobe categorized the updates as "critical" and recommended
users update their software immediately.